Cybercriminals are stealing AI power, and you might be the one paying for it


Attackers are using large language models (LLMs) in so-called LLM hijacking exploits, passing the cost of cloud bills onto companies and individuals.

In the summer of 2024, an Amazon Web Services (AWS) user noticed a spike in his bill. He received a cost alert showing that his expenses, which were typically $2 a month, had reached over $700 in just a couple of hours before stretching to thousands of dollars.

It made him realize that he had been targeted by attackers, who drove his expenses up by reportedly using the Claude 3 Opus model.


According to Crystal Morin, a cybersecurity strategist at US-based cybersecurity company Sysdig, AWS corrected the user's bill. Morin found out about the instance by reaching out to the user after he posted his findings on X.

However, many companies, which pay tens or thousands of dollars to their cloud provider every month, may not even be aware that cybercriminals are silently using their LLMs, in what is called an LLM hijacking exploit.

Similar to cryptojacking, in which a computer infected with malicious software is used to mine cryptocurrency, malicious actors hijack LLMs by stealing companies’ credentials and accessing their cloud environment.

In recent research, Sysdig’s Threat Research Team found that attackers had already gained access to both V-3 and R1 models just days after the Chinese startup DeepSeek released them.

“They've expanded their tactics. We think that they want to test what models they can access and use and how far they can go with each one,” Morin explains.

She says that more companies are becoming aware of the threat. Microsoft recently initiated legal action against a “foreign-based threat actor group” that develops sophisticated software exploiting exposed customer credentials from public websites.


How it works


After obtaining credentials for a company’s cloud service, or API keys for particular apps, often on the dark web, attackers run a script to identify whether the credentials grant access to a certain model.

According to Morin, they use LLMs for all kinds of services, from bypassing sanctions and generating malicious code to conducting role-playing games.

The expenses for such unauthorized use may be quite high.

“When you have one or several attackers that are using your LLM consistently, it can get very expensive, very fast,” Morin says.

Attackers often use OAI Reverse Proxy (ORP), which acts as a reverse proxy server for LLMs of various providers. ORPs can be used to bypass access restrictions, avoid rate limits, and mask malicious activities by routing requests through an intermediary server.

Sysdig found that DeepSeek-V3 was implemented in an ORP instance hosted on the open-source platform HuggingFace just days after its release. One instance was found with 55 DeepSeek API keys already populated and in active use.

Morin says that DeepSeek can be run at a fraction of the cost of other LLMs. Calculations by Sysdig using OpenAI’s o-3 model show that monthly expenses for using DeepSeek in the cloud can reach over $7,000, while the cost of running a GPT-4 model can be over $580,000.

Morin notes that it may be easier for attackers to exploit DeepSeek for malicious purposes.

“Enkrypt AI found more risk and toxicity using DeepSeek than other AI models, meaning there are fewer guardrails built in. In essence, DeepSeek gives users more freedom to do as they please with their prompts.”

How to protect yourself


According to Sysdig, companies must protect their cloud services not only because of the costs incurred from unauthorized usage but also because of the potential for data leaks.

Access keys are a major attack vector, so companies should make sure that they protect them by using temporary credentials and rotating access keys.

If an attacker can obtain access keys or compromise credentials, detecting the illegal use may not be easy.

“This isn't like other attacks where you can just set one kind of detection. It’s actually very challenging,” Morin says.

One way to help spot unauthorized use is through high-cost alerts. These aren’t enabled by default, so companies should enable them manually.

In addition, security teams should monitor baseline usage across the organization. Anomalies or huge spikes may be a sign that the cloud infrastructure is being used by an attacker, Morin says.
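As an added example (not from the article or from Sysdig), here is the baseline-versus-spike check Morin describes, run over constructed hourly billing records: a near-zero baseline followed by the kind of jump seen in the AWS case above. The record format, service label and thresholds are assumptions, not anything the article or a cloud provider defines.

```python
"""Baseline-vs-spike detector for cloud LLM spend (added example)."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class CostRecord:
    hour: str        # constructed ISO-8601 hour label
    service: str     # constructed billing line item
    cost_usd: float


def detect_cost_spikes(records, window=24, factor=10.0, min_abs_usd=5.0):
    """Return (record, baseline) pairs whose cost exceeds both
    `factor` x the median of the previous `window` records and `min_abs_usd`.

    The median is used as the baseline because a few spiked hours barely
    move it, so an ongoing hijack keeps alerting rather than quickly
    becoming the new normal. `min_abs_usd` suppresses noise on near-zero
    baselines, where a 10x jump may still be a fraction of a cent.
    """
    flagged = []
    for i, rec in enumerate(records):
        history = [r.cost_usd for r in records[max(0, i - window):i]]
        if not history:
            continue                      # no baseline yet
        baseline = median(history)
        # max(...) keeps a zero-cost baseline from making every charge a spike
        if rec.cost_usd >= min_abs_usd and rec.cost_usd > factor * max(baseline, 0.01):
            flagged.append((rec, baseline))
    return flagged


def build_sample():
    """Constructed data: two quiet days at ~$0.003/hour (about $2/month),
    then four hours of hijacked usage costing hundreds of dollars each."""
    quiet = [CostRecord(f"2024-07-0{1 + h // 24}T{h % 24:02d}:00Z", "llm_inference",
                        0.002 + 0.001 * (h % 3)) for h in range(48)]
    spike = [CostRecord(f"2024-07-03T{h:02d}:00Z", "llm_inference", c)
             for h, c in enumerate([180.0, 250.0, 300.0, 400.0])]
    return quiet + spike


if __name__ == "__main__":
    for rec, base in detect_cost_spikes(build_sample()):
        print(f"ALERT {rec.hour} {rec.service}: ${rec.cost_usd:.2f} "
              f"vs baseline ${base:.4f}/hour")
```

Only the four hijacked hours are reported; the quiet hours never clear the absolute floor, and the baseline stays at the pre-attack level for the whole burst.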